tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/installd.te
Nick Kralevich 0eb0a16fbd bless app created renderscript files 
When an app uses renderscript to compile a Script instance,
renderscript compiles and links the script using /system/bin/bcc and
/system/bin/ld.mc, then places the resulting shared library into the
application's code_cache directory. The application then dlopen()s the
resulting shared library.

Currently, this executable code is writable to the application. This
violates the W^X property (https://en.wikipedia.org/wiki/W%5EX), which
requires any executable code be immutable.

This change introduces a new label "rs_data_file". Files created by
/system/bin/bcc and /system/bin/ld.mc in the application's home
directory assume this label. This allows us to differentiate in
security policy between app created files, and files created by
renderscript on behalf of the application.

Apps are allowed to delete these files, but cannot create or write these
files. This is enforced through a neverallow compile time assertion.

Several exceptions are added to Treble neverallow assertions to support
this functionality. However, because renderscript was previously invoked
from an application context, this is not a Treble separation regression.

This change is needed to support blocking dlopen() for non-renderscript
/data/data files, which will be submitted in a followup change.

Bug: 112357170
Test: cts-tradefed run cts -m CtsRenderscriptTestCases
Change-Id: Ie38bbd94d26db8a418c2a049c24500a5463698a3
2018-12-12 13:20:22 -08:00

25 lines
728 B
Text
Raw Blame History

typeattribute installd coredomain;
init_daemon_domain(installd)
# Run dex2oat in its own sandbox.
domain_auto_trans(installd, dex2oat_exec, dex2oat)
# Run dexoptanalyzer in its own sandbox.
domain_auto_trans(installd, dexoptanalyzer_exec, dexoptanalyzer)
# Run profman in its own sandbox.
domain_auto_trans(installd, profman_exec, profman)
# Run idmap in its own sandbox.
domain_auto_trans(installd, idmap_exec, idmap)
# Create /data/.layout_version.* file
type_transition installd system_data_file:file install_data_file;
# For collecting bugreports.
allow installd dumpstate:fd use;
allow installd dumpstate:fifo_file r_file_perms;
# Delete /system/bin/bcc generated artifacts
allow installd rs_data_file:file unlink;
Reference in a new issue View git blame Copy permalink